File 0cf6bbb63ffe0c12777664d80b2797923844c8392d0fd81d7962ee5ee2c3c3d9_atapi.sys

Size 25.8KB
Type PE32+ executable (native) x86-64, for MS Windows
MD5 74b14192cf79a72f7536b27cb8814fbd
SHA1 682d6d307311c01734aeba17df3debec272d67b0
SHA256 0cf6bbb63ffe0c12777664d80b2797923844c8392d0fd81d7962ee5ee2c3c3d9
SHA512
cdff60e98a81e6a32460398d499a2b2ae2a3ba508938bfc859846017964743501dd7b5bb0ec56ee27eaad3776eb209b4422f61f6ffa87fb5b2585311d66520e1
CRC32 834BDFFA
ssdeep 384:BzzoyRLALMDTEPU5dPIv2V1uBmm9wieS52uYRWTbUwW/oYA5vDBRJARCIleAp8xt:BzoENvEPk+v2+guemOGRh1PoCQpKZn
PDB Path atapi.pdb
Yara
  • IsPE64 -
  • HasOverlay - Overlay Check
  • HasDebugData - DebugData Check
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • contentis_base64 - This rule finds for base64 strings

Score

This file appears fairly benign with a score of 0.6 out of 10.

Please notice: The scoring system is currently still in development and should be considered an alpha feature.

Information on Execution

Category Started Completed Duration Logs
FILE Oct. 19, 2018, 6:29 p.m. Oct. 19, 2018, 6:33 p.m. 252 seconds

Machine

Name Label Started On Shutdown On
win7x64 win7x64 2018-10-19 18:29:13 2018-10-19 18:33:25

Analyzer Log

2018-10-19 11:29:13,030 [analyzer] DEBUG: Starting analyzer from: C:\vfaphgs
2018-10-19 11:29:13,201 [analyzer] DEBUG: Pipe server name: \\.\PIPE\pLZvjiRsBWpfojOYWijbXVGUKL
2018-10-19 11:29:13,201 [analyzer] DEBUG: Log pipe server name: \\.\PIPE\OeCqhLtnVTAPemYVIPDkoAuS
2018-10-19 11:29:15,214 [analyzer] DEBUG: Started auxiliary module Disguise
2018-10-19 11:29:15,605 [analyzer] DEBUG: Loaded monitor into process with pid 508
2018-10-19 11:29:15,651 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2018-10-19 11:29:15,651 [analyzer] DEBUG: Started auxiliary module Human
2018-10-19 11:29:15,651 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2018-10-19 11:29:15,651 [analyzer] WARNING: Cannot execute auxiliary module Reboot: [Errno 2] No such file or directory: 'C:\\vfaphgs\\reboot.json'
2018-10-19 11:29:15,901 [analyzer] DEBUG: Started auxiliary module RecentFiles
2018-10-19 11:29:15,901 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2018-10-19 11:29:15,901 [analyzer] DEBUG: Started auxiliary module Screenshots
2018-10-19 11:29:15,901 [analyzer] INFO: No process IDs returned by the package, running for the full timeout.
2018-10-19 11:33:18,279 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2018-10-19 11:33:18,279 [analyzer] INFO: Terminating remaining processes before shutdown.
2018-10-19 11:33:18,279 [analyzer] INFO: Analysis completed.

Cuckoo Log

2018-10-19 18:29:13,464 [lib.cuckoo.core.scheduler] INFO: File already exists at "/opt/cuckoo/storage/binaries/0cf6bbb63ffe0c12777664d80b2797923844c8392d0fd81d7962ee5ee2c3c3d9"
2018-10-19 18:29:13,483 [lib.cuckoo.core.scheduler] INFO: Task #34: acquired machine win7x64 (label=win7x64)
2018-10-19 18:29:13,542 [modules.auxiliary.sniffer] INFO: Started sniffer with PID 18961 (interface=eth2, host=192.168.128.109, pcap=/opt/cuckoo/storage/analyses/34/dump.pcap)
2018-10-19 18:29:23,674 [lib.cuckoo.core.guest] INFO: Starting analysis on guest (id=win7x64, ip=192.168.128.109)
2018-10-19 18:29:32,600 [modules.auxiliary.reboot] ERROR: Reboot analysis is not backwards compatible with the Old Agent, please upgrade your target machine (<Machine('1','win7x64')>) to the New Agent to use the reboot analysis capabilities.
2018-10-19 18:33:24,390 [lib.cuckoo.core.guest] INFO: win7x64: analysis completed successfully
2018-10-19 18:33:25,990 [lib.cuckoo.core.plugins] WARNING: The processing module "Suricata" returned the following error: Unable to locate Suricata binary
2018-10-19 18:33:27,125 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f54bebd0bd0>: Failed to establish a new connection: [Errno 111] Connection refused
2018-10-19 18:33:27,126 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f54bebd0850>: Failed to establish a new connection: [Errno 111] Connection refused
2018-10-19 18:33:27,126 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f54bebd0a50>: Failed to establish a new connection: [Errno 111] Connection refused
2018-10-19 18:33:27,127 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f54bebd0690>: Failed to establish a new connection: [Errno 111] Connection refused
2018-10-19 18:33:27,128 [lib.cuckoo.core.plugins] ERROR: Failed to run the reporting module "ElasticSearch":
Traceback (most recent call last):
  File "/opt/cuckoo/lib/cuckoo/core/plugins.py", line 533, in process
    current.run(self.results)
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 196, in run
    self.connect()
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 79, in connect
    if not self.es.indices.exists_template("cuckoo_template"):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/utils.py", line 69, in _wrapped
    return func(*args, params=params, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/indices.py", line 491, in exists_template
    name), params=params)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/transport.py", line 327, in perform_request
    status, headers, data = connection.perform_request(method, url, params, body, ignore=ignore, timeout=timeout)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 105, in perform_request
    raise ConnectionError('N/A', str(e), e)
ConnectionError: ConnectionError(<urllib3.connection.HTTPConnection object at 0x7f54bebd0690>: Failed to establish a new connection: [Errno 111] Connection refused) caused by: NewConnectionError(<urllib3.connection.HTTPConnection object at 0x7f54bebd0690>: Failed to establish a new connection: [Errno 111] Connection refused)

Signatures

This executable is signed
This executable has a PDB path (1 event)
pdb_path atapi.pdb
The executable has PE anomalies (could be a false positive) (1 event)
section INIT

Screenshots

No screenshots available.

Network

DNS

No domains contacted.

Hosts

No hosts contacted.

Summary

PE Compile Time

2013-08-22 07:40:39

PDB Path

atapi.pdb

Signing Certificate

MD5 9b8768cf26b91e1c2dda86ddd8f6ac53
SHA1 812705d0eddce07c8a1dccd9dc6e50c5e3d19219
Serial Number 330000002418fc0b689e7399d0000000000024
Common Name Microsoft Windows
Country US
Locality Redmond

Version Infos

LegalCopyright © Microsoft Corporation. All rights reserved.
InternalName atapi.sys
FileVersion 6.3.9600.16384 (winblue_rtm.130821-1623)
CompanyName Microsoft Corporation
ProductName Microsoft® Windows® Operating System
ProductVersion 6.3.9600.16384
FileDescription ATAPI IDE Miniport Driver
OriginalFilename atapi.sys
Translation 0x0409 0x04b0

Sections

Name Virtual Address Virtual Size Size of Raw Data Entropy
.text 0x00001000 0x00002c2f 0x00002e00 6.20617587139
.rdata 0x00004000 0x0000045c 0x00000600 3.18283211641
.data 0x00005000 0x00000010 0x00000200 0.281091870762
.pdata 0x00006000 0x000001f8 0x00000200 4.09158925225
INIT 0x00007000 0x00000394 0x00000400 4.34464858024
.rsrc 0x00008000 0x000003f8 0x00000400 3.40591769265
.reloc 0x00009000 0x00000048 0x00000200 0.138729518149

Imports


!This program cannot be run in DOS mode.
Richk)
h.rdata
H.data
.pdata
B.reloc
t$ WAVAWH
@A_A^_
UVWATAUAVAWH
0A_A^A]A\_^]
x ATAVAWH
A_A^A\
|$ AVH
t$ WATAUAVAWH
A_A^A]A\_
VWATAVAWH
A_A^A\_^
WATAUAVAWH
A_A^A]A\_H
t$ WATAUAVAWH
0A_A^A]A\_
WAVAWH
f9u"H
A_A^_
D$puH
atapi.pdb
AtaPortRequestCallback
AtaPortReleaseRequestSenseIrb
AtaPortCopyMemory
AtaPortConvertPhysicalAddressToUlong
AtaPortCompleteRequest
AtaPortNotification
AtaPortBuildRequestSenseIrb
AtaPortQuerySystemTime
AtaPortReadPortBufferUshort
AtaPortInitialize
AtaPortGetPhysicalAddress
AtaPortCompleteAllActiveRequests
AtaPortGetParentBusType
AtaPortStallExecution
AtaPortReadPortUchar
AtaPortDeviceStateChange
AtaPortWritePortUchar
AtaPortEtwTraceLog
AtaPortGetUnCachedExtension
AtaPortWritePortUlong
AtaPortWritePortBufferUshort
AtaPortGetDeviceBase
AtaPortGetScatterGatherList
ataport.SYS
Washington1
Redmond1
Microsoft Corporation1.0,
%Microsoft Windows Production PCA 20110
130617214338Z
140917214338Z0p1
Washington1
Redmond1
Microsoft Corporation1
Microsoft Windows0
MOPR1301
*31612+09a6d5f3-8125-416a-b9b1-447d2c25afa90
Chttp://www.microsoft.com/pkiops/crl/MicWinProPCA2011_2011-10-19.crl0a
Ehttp://www.microsoft.com/pkiops/certs/MicWinProPCA2011_2011-10-19.crt0
_eUQC{
Washington1
Redmond1
Microsoft Corporation1200
)Microsoft Root Certificate Authority 20100
111019184142Z
261019185142Z0
Washington1
Redmond1
Microsoft Corporation1.0,
%Microsoft Windows Production PCA 20110
i%(\6
Ehttp://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl0Z
>http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt0
Washington1
Redmond1
Microsoft Corporation1.0,
%Microsoft Windows Production PCA 2011
http://www.microsoft.com/windows0
G<!,Z%
20130822124433.246Z0
Washington1
Redmond1
Microsoft Corporation1
MOPR1'0%
nCipher DSE ESN:B8EC-30A4-71441%0#
Microsoft Time-Stamp Service
Washington1
Redmond1
Microsoft Corporation1200
)Microsoft Root Certificate Authority 20100
100701213655Z
250701214655Z0|1
Washington1
Redmond1
Microsoft Corporation1&0$
Microsoft Time-Stamp PCA 20100
$`2X`F
Ehttp://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl0Z
>http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt0
1http://www.microsoft.com/PKI/docs/CPS/default.htm0@
oK0D$"<
r~akow
Washington1
Redmond1
Microsoft Corporation1&0$
Microsoft Time-Stamp PCA 20100
130327201314Z
140627201314Z0
Washington1
Redmond1
Microsoft Corporation1
MOPR1'0%
nCipher DSE ESN:B8EC-30A4-71441%0#
Microsoft Time-Stamp Service0
Ehttp://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl0Z
>http://www.microsoft.com/pki/certs/MicTimStaPCA_2010-07-01.crt0
Washington1
Redmond1
Microsoft Corporation1
MOPR1'0%
nCipher DSE ESN:B8EC-30A4-71441%0#
Microsoft Time-Stamp Service
Washington1
Redmond1
Microsoft Corporation1
MOPR1'0%
nCipher NTS ESN:B027-C6F8-1D881+0)
"Microsoft Time Source Master Clock0
20130822122332Z
20130823122332Z0w0=
)uu"$#,^
i&dc!_
Washington1
Redmond1
Microsoft Corporation1&0$
Microsoft Time-Stamp PCA 2010
Washington1
Redmond1
Microsoft Corporation1&0$
Microsoft Time-Stamp PCA 2010
VS_VERSION_INFO
StringFileInfo
040904B0
CompanyName
Microsoft Corporation
FileDescription
ATAPI IDE Miniport Driver
FileVersion
6.3.9600.16384 (winblue_rtm.130821-1623)
InternalName
atapi.sys
LegalCopyright
Microsoft Corporation. All rights reserved.
OriginalFilename
atapi.sys
ProductName
Microsoft
Windows
Operating System
ProductVersion
6.3.9600.16384
VarFileInfo
Translation
"Microsoft Window
Legal_Policy_Statement
Antivirus Signature
Bkav Clean
MicroWorld-eScan Clean
CMC Clean
CAT-QuickHeal Clean
ALYac Clean
Cylance Clean
AegisLab Clean
CrowdStrike Clean
BitDefender Clean
K7GW Clean
K7AntiVirus Clean
TrendMicro Clean
Baidu Clean
NANO-Antivirus Clean
F-Prot Clean
Symantec Clean
TotalDefense Clean
TrendMicro-HouseCall Clean
Avast Clean
ClamAV Clean
Kaspersky Clean
Alibaba Clean
Babable Clean
ViRobot Clean
Rising Clean
Ad-Aware Clean
Emsisoft Clean
Comodo Clean
F-Secure Clean
DrWeb Clean
Zillya Clean
Invincea Clean
McAfee-GW-Edition Clean
Fortinet Clean
TheHacker Clean
Ikarus Clean
Cyren Clean
Jiangmin Clean
Webroot Clean
Avira Clean
MAX Clean
Antiy-AVL Clean
Kingsoft Clean
Endgame Clean
Arcabit Clean
SUPERAntiSpyware Clean
ZoneAlarm Clean
Avast-Mobile Clean
Microsoft Clean
Sophos Clean
AhnLab-V3 Clean
McAfee Clean
TACHYON Clean
VBA32 Clean
Malwarebytes Clean
Panda Clean
Zoner Clean
ESET-NOD32 Clean
Tencent Clean
Yandex Clean
SentinelOne Clean
eGambit Clean
GData Clean
AVG Clean
Cybereason Clean
Paloalto Clean
Qihoo-360 Clean

Process Tree


Deprecation note: While processing this analysis you did not have the httpreplay Python library installed. Installing this library (i.e., pip install httpreplay) will allow Cuckoo to do more proper PCAP analysis including but not limited to showing full HTTP and HTTPS (!) requests and responses. It is recommended that you install this library and possibly reprocess any interesting analysis tasks.

Hosts

No hosts contacted.

DNS

No domains contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.128.109 138 192.168.128.255 138

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.
Task ID 34
Mongo ID 5bca5bb711d30829883cdf6a
Cuckoo release 2.0-dev